Sofacy APT Adopts New Tactics and Far East Targets

CANCUN, Mexico – A new analysis of the Russian-speaking Sofacy APT gang shows a continual march toward Far East targets and overlapping of activities with other groups such as Lamberts, Turla and Danti.

Researchers at Kaspersky Lab released their update on Sofacy, also known as APT28, Fancy Bear, Sednit and a handful of other monikers, this morning at the company's Security Analyst Summit. The report shows how Sofacy is continuing to evolve in 2018.

Most intriguing to researchers is the overlap between Sofacy and the English-speaking threat actor behind the Lamberts, also known as Longhorn. Researchers made the discovery connecting the two APTs when the presence of Sofacy was found on a server in China belonging to a company with ties to the aerospace and defense industry. The server was previously identified as compromised by Grey Lambert malware.

In this case, Sofacy’s SPLM (aka Xagent, aka CHOPSTICK) tool was found on the server, but it’s unclear what tactics were used by the APT to plant the malware. Researchers theorize a PowerShell script or legitimate but vulnerable web app was exploited to load and execute the SPLM code.

The samples of SPLM that researchers examined demonstrate how Sofacy now maintains “distinct subdivisions for each of its main tools, with clusters for the coding, development and targeting of SPLM, GAMEFISH, and Zebrocy,” according to Kaspersky researchers.

“The unusual thing about what happened with the SPLM is that in 2018, we’re seeing them break out their modules. Whether it is file stealers, remote shells, or key loggers, we are seeing more individual modules being deployed onto systems,” said Kurt Baumgartner, a researcher with Kaspersky Lab’s Global Research and Analysis Team.

“They are beginning to shift to chunks and pieces of modules and we are seeing a lot of .NET and PowerShell malware activity from these guys,” Baumgartner said.

Sofacy’s roots go back to around 2007, Kaspersky researchers said, and the group has changed its strategy a number of times, notably in 2009 and 2011.

“In all likelihood, they noticed in 2017 that targets they were attempting to deploy this full back door (SPLM/Xagent) to, was simply not effective anymore,” Baumgartner said. “The Xagent code base is pretty well known. When you look at the 2016 DNC hack, they took that same code base and made a few changes to the encryption ciphers to hide away settings such as domains, IP addresses, debug messages and file pads. That code modification didn’t hide (SPLM) from malware tools. So it isn’t really effective in getting what they wanted anymore.”

Baumgartner said he expects Sofacy to continue its pivot to the Far East in 2018, along with a decreased reliance on C++ code in favor of more .NET and PowerShell scripts.

Authors

Threatpost